ADAM is a good store for users in .NET, but some things tend to take a long time to figure out. One of these is password management. This post explains a method for setting a user's password from code (for resetting a password, changing a password, etc.).
[...]
Sensitive or confidential information should not appear in the log, but unfortunately frameworks, data sources and custom code all tend to write it there.
[...]
I found an interesting article at blogs.securityteam.com. It explains how virtual keyboard solutions can be circumvented in phishing attempts. Read more here: Defeating Image-Based Virtual Keyboards and Phishing Banks
[...]
Michael Sutton wrote an interesting blog post: Top 10 Signs You Have an Insecure Web App. It is interesting to see how many of these mistakes can actually be found through Google, making it really easy for potential attackers.
[...]
Ruby on Rails (RoR) is rapidly gaining popularity as a platform for developing web applications. However, most tutorials teach you to write highly insecure code that allows attackers to exploit your applications. This is especially true for XSS (Cross Site Scripting).
[...]
The author of this report uses Google to find sites with SQL injection vulnerabilities. The result is that 11.3% of the assessed sites are open to SQL injection. SQL injection is still one of the most common web application vulnerabilities.
[...]
The clever people at Stanford University have developed a browser plugin to avoid or limit the effect of certain phishing attacks.
[...]
Many web sites have SQL injection and XSS (Cross Site Scripting) vulnerabilities, and security articles often cite a lack of input validation as the reason for these problems. This isn't necessarily correct.
[...]
There has been a lot of writing on the web lately about Ajax being a major security concern for web applications. But are these concerns really justified? I just read a great article about this on "A Port80 Software Blog": Fear, Uncertainty and Doubt in Web 2.0
[...]
You may sometimes need to unescape HTML-escaped strings in JavaScript. I found a neat trick to do this using the browser's built-in escaping.
[...]